More Passwords, More Problems

The more we depend on the Web, the more passwords we accumulate—and forget. Some startups think they have a solution.

It’s easy to remember one username and password. Keeping five or 10 straight is much harder. Password overload has long afflicted techies, but as we all spend more time doing everything from shopping to banking to playing games on the Web, it’s become a more widespread problem.

A number of companies are trying to combat the problem. Approaches range from password managers that secure your login details with one master password to methods that eliminate the need for multiple passwords in the first place.

A 2007 study by Microsoft Research explored the strength, frequency, and usage of passwords belonging to 500,000 computer users. The study found that each person had an average of 6.5 passwords that they used for 25 different online accounts—meaning each password was being recycled about four times.

Five years later, most of us have many more accounts that we access across desktop computers, smartphones, and tablet computers. But we’re probably no better at coming up with secure passwords—ones that can’t be easily guessed or cracked using a computer—and, as high-profile security breaches at websites like LinkedIn and eHarmony show, weak passwords put our online identities at risk.

The most common tool for organizing a glut of passwords is the password manager, but few people use them, says Cormac Herley, an author of the 2007 Microsoft Research study. A startup called Dashlane is hoping to change this, with a simple password management and automated form-filling tool that it says can make it easier to shop online. Dashlane encrypts and stores passwords on a user’s computer or smartphone. Then only the master password—which is not stored on Dashlane’s servers—can be used to access the information.

The company emerged from a private beta test in April, and Daniela Perdomo, Dashlane’s director of user growth, says it currently has hundreds of thousands of users who have collectively stored 1.5 million passwords with its desktop and smartphone software (most are using a free version of the service). She claims Dashlane’s auto-form-filling technology is accurate about 90 to 95 percent of the time.

The weak spot here, of course, is forgetting your master password. But the approach also makes it more difficult for others to gain access to your data simply by stealing your device. And setting up a password manager could inspire you to make your individual passwords more secure, knowing that now you’ll only need to remember that one master password to access all your accounts on your computer. Perdomo acknowledges that most people aren’t ready to be proactive about weak or identical passwords. “The average person doesn’t care until they get hacked,” she says, echoing the opinion of several security experts.

Another key drawback of password managers is that they often need to be installed and synched on each device you use to access your accounts. This might be convenient if you’re on your home or work computer, but less so if you’re at a friend’s house.

Chances are that you’ll have your smartphone on you, though. It, too, is coming into play as a way to balance login security and convenience. That’s the idea behind PhoneID, which software engineers Mike Thomas and Vahur Roosimaa created in early September at a hackathon—a marathon coding event where programmers come up with new ideas—hosted by tech blog TechCrunch. Currently a prototype, PhoneID lets you log in to websites with your desktop computer by using your smartphone to scan an on-screen QR code, Thomas says. This way, you would never have to type in a username and password.

The first time you visit a participating website on your desktop computer, a QR code would pop up on the screen. Scanning it with your phone would prompt your computer to ask for your phone number, and PhoneID would send your cell phone an SMS that could be clicked to log you in to the site and authenticate you. On subsequent visits, scanning an on-screen QR code would immediately log you in.

PhoneID requires a website to add several lines of code. And while it could be set up to work with sites where you already have an account and password, it’s currently geared toward setting up a new account on a site. Thomas says the approach could save websites from having to store and guard password information, and save consumers from remembering their login credentials. “Even for someone who’s technically savvy, keeping track of all your passwords is difficult,” he says.

Gartner analyst Gregg Kreizman thinks solutions like PhoneID will become more common as companies take advantage of the cameras, sensors, and geolocation capabilities of smartphones. These features could help by providing other ways of authenticating users, he says.

But what if we could just cut down on passwords altogether? The most popular existing examples of this approach are Facebook Connect and Sign in with Twitter, two services that let you log in to websites with your Facebook or Twitter credentials. This makes things convenient for users, while also granting sites access to some of your personal information. It’s not all that secure, though. Another approach came recently from Intel, which, at the Intel Developer Forum, announced a futuristic-sounding plan to authenticate people by reading vein patterns.

A startup called OneID has a different idea. It requires websites to use its login method, which uses public key cryptography—security technology that encrypts and decrypts data using two kinds of “key” belonging to each party, one kept secret and the other published openly—and knowledge of the devices you use to securely sign you in with a single click.

OneID founder Steve Kirsch, who also founded the search engine Infoseek, says that when a user hits a OneID button on a website, the site sends his or her public “key” to the user’s computer. That key is then forwarded to a OneID server, which can make a swift determination based on the website’s specifications and user’s preferences about what needs to happen next—if additional authentication is required, or if the user can simply be allowed to enter the site.

OneID users don’t need to set a password. A smartphone app that approves higher-risk activities like making online purchases requires a PIN, though. While someone could still steal your computer and then gain access to some low-security websites that don’t require two-factor authentication, you could disable that device’s OneID access remotely to stop the breach.

OneID is in the process of rolling out its technology, though the company could not name any sites that are using it. Kirsch says the company is going after sites, such as e-commerce businesses and banks, that require high security. “As they give it a shot and people see the results, then more and more people will give it a shot,” Kirsch says.

Moxie Marlinspike, a San Francisco-based computer security researcher, says single sign-ons that focus on security are a tough sell. “Most of those sites don’t see the convenience of not having to manage a username and password as a real benefit,” he says, and if they choose to enable one they’ll typically go with the Facebook or Twitter options since that will give them access to some of a user’s social information.

Marlinspike thinks that in order to get users to change their behaviors, developers will need to keep working to make security as invisible as possible. But, he says, passwords will likely be with us for a while.

Tagged

Credit

As MIT Technology Review’s senior editor for mobile, I cover a wide variety of startups and write gadget reviews out of our San Francisco office. I’m curious about tech innovation, and I’m always on the lookout for the next big thing. Before… More arriving at MIT Technology Review in early 2012, I spent five years as a technology reporter at the Associated Press, covering companies including Apple, Amazon, and eBay, and penning reviews. I’ve also worked as a freelancer, covering both technology and crime for the New York Times.

I grew up mostly in Palo Alto, California, where companies like Hewlett-Packard and Google were simply a part of everyday life. But I didn’t discover my love for tech coverage until 2003. That’s when I accidentally discovered a major security lapse in Palo Alto Unified School District’s wireless network, which allowed anyone with Wi-Fi to view sensitive student information, including psychological profiles identified with full names. When not hard at work on a MIT Technology Review story, I can be found cycling around the Bay Area.